Boom! Now we know that we have command execution! What can we do with this?

Trial and Error

The first target was the common CTF strategy: get a shell and cat the flag. We can attempt to do this with a PowerShell RAT from PowerShell Empire. After about 30-45 minutes of testing, we realize the callbacks are not reaching our server from the victim, even though they work locally with a test environment. There must be a firewall or something in the way blocking outbound traffic. But we received traffic from the server already... hmm...

Padding FTW

We know that ICMP echo requests reach our server just fine. We also know that we can execute commands via our VBScript. Is there a way to send pings via something like... PowerShell?! (I got really excited since this was my first time using PowerShell in a CTF.) Let’s see how we can send an ICMP echo request.
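Seen from the defending side, the gap described above (outbound callbacks blocked while ICMP echo requests still leave the network) is worth monitoring. The following is an added example, not code from the original writeup: it parses an ICMP echo request with the IP header already stripped and flags any payload that differs from the 32-byte default sent by Windows `ping.exe`. The function names, verdict labels and sample packets are assumptions constructed for illustration.

```python
import struct

# Default 32-byte payload sent by the Windows ping.exe utility.
WINDOWS_PING_DEFAULT = b"abcdefghijklmnopqrstuvwabcdefghi"

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 for a message with a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Build a constructed sample echo request (type 8, code 0) for offline testing."""
    csum = inet_checksum(struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

def classify_echo_request(icmp: bytes) -> dict:
    """Parse one ICMP message (hypothetical helper) and judge its payload."""
    if len(icmp) < 8:
        return {"verdict": "malformed"}
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type != 8 or code != 0:
        return {"verdict": "not-echo-request"}
    if inet_checksum(icmp) != 0:
        return {"verdict": "bad-checksum"}
    payload = icmp[8:]
    if payload == WINDOWS_PING_DEFAULT:
        verdict = "default-windows-ping"
    elif len(set(payload)) <= 1:
        verdict = "uniform-padding"   # empty or constant-fill payload
    else:
        verdict = "review"            # non-default content leaving a Windows host
    printable = sum(32 <= b < 127 for b in payload)
    ratio = printable / len(payload) if payload else 0.0
    return {"verdict": verdict, "id": ident, "seq": seq,
            "len": len(payload), "printable_ratio": ratio}

if __name__ == "__main__":
    # Constructed sample packets, not captured traffic.
    samples = [
        build_echo_request(1, 1, WINDOWS_PING_DEFAULT),
        build_echo_request(1, 2, b"\x00" * 32),
        build_echo_request(1, 3, b"CONSTRUCTED sample bytes"),
    ]
    for pkt in samples:
        print(classify_echo_request(pkt))
```

A "review" verdict is only a triage signal: other operating systems and monitoring tools send different default payloads, so baseline those before alerting.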

Cory Duplantis

I am a senior security researcher for Cisco Talos and play on Samurai for CTFs. Being happily married, CTFs, tool development, and singing barbershop take up the majority of my time. This blog is the home for my CTF writeups, development tricks, and other random hacker tips.